Snaps, Crackle, Pops or Get Your Wheatys

Some things about windbg are just great. But often, they come with a little bit of work.For one, dll load analysis can be performed with ease, even on unusually crafted files. Like the kinds of files you would see from hackers and eventually malware authors. Want to review the entire flow of process creation on a malformed PE? No problem.You can do it in a snap with windbg. Or rather, you can use windbg to observe and understand how the process loader performs its work, including “loader snaps” (which doesn’t get mention in Russinovich’s Internals books). Unfortunately, I couldn’t get the provided Gflag utility to help enable “Show loader snaps” as Matt Pietrek at wheaty.net informed us way back, when he showed off snappy output from his debugger. But his article is an inspiration to understanding loader internals. It detailed enabling loader snaps using the gflag utility and its results — “captures detailed information about the loading and unloading of executable images and their supporting library modules….For per-process (image file): Whenever a DLL is loaded, this flag writes the loader contents (and data related to DLL loading) to the program debugger console”. This article is a great source of information for trying to analyze these sorts of very unusual binaries.

Windbg can break extremely early in the load process, so we can choose a breakpoint within the dll loaded first into any process, even before kernel32.dll loads — ntdll!LdrpInitialize. When the debugger breaks, we can set ntdll’s ShowSnaps global flag to “1″ early enough to see all the modules loading and their corresponding user-mode debug Snap messages:0:000> dw ShowSnaps L17c97c121 00000:000> ew ShowSnaps 10:000> dw ShowSnaps L17c97c121 0001

Now we run our harmless sample and wait for the loader data we are looking for:0:000> gLDR: PID: 0xe38 started – ‘C:vxtiny.exe’LDR: NEW PROCESS Image Path: C:vxtiny.exe (tiny.exe) Current Directory: C:Program FilesDebugging Tools for Windows Search Path: C:vx;C:WINDOWSsystem32;C:WINDOWSsystem;C:WINDOWS;.;C:Program FilesDebugging Tools for Windowswinextarcade;LDR: LdrLoadDll, loading kernel32.dll fromModLoad: 7c800000 7c8f5000 C:WINDOWSsystem32kernel32.dllLDR: ntdll.dll used by kernel32.dllLDR: Snapping imports for kernel32.dll from ntdll.dllLDR: LdrGetProcedureAddress by NAME – BaseProcessInitPostImport[e38,74c] LDR: Real INIT LIST for process C:vxtiny.exe pid 3640 0xe38[e38,74c] C:WINDOWSsystem32ntdll.dll init routine 7C913156[e38,74c] C:WINDOWSsystem32kernel32.dll init routine 7C80B5AE[e38,74c] LDR: ntdll.dll loaded – Calling init routine at 7C913156[e38,74c] LDR: kernel32.dll loaded – Calling init routine at 7C80B5AELDR: LdrGetProcedureAddress by NAME – BaseQueryModuleDataLDR: \66.93.68.6z used by tiny.exeLDR: Loading (STATIC, NON_REDIRECTED) \66.93.68.6zModLoad: 10000000 10000370 \66.93.68.6zLDR: USER32.dll used by zModLoad: 7e410000 7e4a0000 C:WINDOWSsystem32USER32.dllLDR: GDI32.dll used by USER32.dllModLoad: 77f10000 77f57000 C:WINDOWSsystem32GDI32.dllLDR: KERNEL32.dll used by GDI32.dllLDR: Snapping imports for GDI32.dll from KERNEL32.dllLDR: LdrGetProcedureAddress by NAME – RtlDeleteCriticalSectionLDR: LdrGetProcedureAddress by NAME – RtlLeaveCriticalSectionLDR: LdrGetProcedureAddress by NAME – RtlEnterCriticalSectionLDR: LdrGetProcedureAddress by NAME – RtlSetLastWin32ErrorLDR: LdrGetProcedureAddress by NAME – RtlGetLastWin32ErrorLDR: ntdll.dll used by GDI32.dllLDR: Snapping imports for GDI32.dll from ntdll.dllLDR: USER32.dll used by GDI32.dllLDR: Snapping imports for GDI32.dll from USER32.dllLDR: Snapping imports for USER32.dll from GDI32.dllLDR: KERNEL32.dll used by USER32.dllLDR: Snapping imports for USER32.dll from KERNEL32.dllLDR: LdrGetProcedureAddress by NAME – RtlReAllocateHeapLDR: LdrGetProcedureAddress by NAME – RtlSizeHeapLDR: LdrGetProcedureAddress by NAME – RtlSetLastWin32ErrorLDR: LdrGetProcedureAddress by NAME – RtlGetLastWin32ErrorLDR: LdrGetProcedureAddress by NAME – RtlAllocateHeapLDR: LdrGetProcedureAddress by NAME – RtlFreeHeapLDR: ntdll.dll used by USER32.dllLDR: Snapping imports for USER32.dll from ntdll.dllLDR: Snapping imports for z from USER32.dllLDR: Snapping imports for tiny.exe from \66.93.68.6z

Snap and dll load data of all sorts is provided for further exploration and analysis. We can investigate exactly when and how each dll is loaded from within this malformed PE file with windbg’s help.

An exhaustive source of information on the process of dll loading can be found on the Win2k loader here by Russ Osterlund.